The Ministry of Electronics and Information Technology issued an advisory to all intermediaries on 26 December 2023, requiring them to proactively notify users about prohibited content and the obligation to report legal violations to policing agencies. All digital services that do not create the information or content that is shared/uploaded on their platform are required to comply with the advisory.
Previously, intermediaries were already required to notify users about prohibited content such as hate speech or content invading another’s privacy as part of their obligation under the Information Technology Rules 2021 (IT Rules). However, the latest advisory creates new obligations, beyond the remit of the IT Rules, whereas advisories are meant to serve only as clarificatory tools.
Decoding the advisory
The latest MeitY advisory reiterates a requirement under the IT Rules to inform users about prohibited content. However, it now requires digital intermediaries (like social media) to warn users about the prohibited content every time they log in, sign up or share/upload information. It is not a responsibility that such intermediaries can discharge with ease.
Notifications at the newly-prescribed frequency are unique to India. They seem difficult to implement and could also negatively impact a user’s experience. Imagine a scenario in which a user wants to share a meme with her friends, but is bombarded with constant pop-up messages asking “Is the content prohibited?” “Does it violate Rule 3(1)(b)?” “Are you certain about sharing this content?”. It will force her to dive deeper into a labyrinth of legalese and could make the experience of using a platform frustrating.
While periodic reminders are well-intentioned, incessant ones can backfire. The European Union’s experience with data protection is a cautionary tale of how good regulatory intentions can be onerous on users. After the implementation of the General Data Protection Regulation, there was a significant uptick in consent requests that users had to agree to in order to access content. These endless consent requests led to user frustration and the breeding of box-ticking compliance. One study indicates that 72 per cent of respondents feel annoyed by the number of times they have to encounter consent requests.
MeitY’s advisory states that the government will monitor compliance. However, it is unclear how the ministry will do so since the advisory requires near-continuous user notifications and consequently, absurd outcomes abound. Moreover, while the advisory was issued to all intermediaries, it has not been published on MeitY’s website. Non-compliance with the advisory can lead to revocation of safe harbour protections or the immunity from liability for actions of third parties (in this case, users). Yet, it was not publicly shared and to date, a Press Information Bureau bulletin is the only government-issued publication.
Also read: India’s digital economy isn’t broken. What is I&B ministry fixing by bringing OTT under it?
Beyond clarificatory tools
Advisories that exceed the remit of the law also raise important enforceability concerns. Are they legally binding or are they merely clarificatory tools? Are they enforceable (like laws) or are they closer to executive instructions with room for deviation? Indian courts have held that executive instructions, codes or guidelines, which have no statutory basis are not ‘laws’ under Article 13 of the Constitution. Due to their non-binding status, they only serve as a clarificatory or advisory tool. However, when advisories like the one issued by MeitY threaten liability in case of non-compliance, it creates confusion. For example, smaller firms that are boot-strapped for compliance may not have the means or legal and technical knowledge to understand or implement its contents.
As mere clarificatory tools, advisories are not subject to any regulatory, judicial or parliamentary oversight. However, when they are used as rule-making instruments, the lack of a review mechanism indicates little thought about their implementation. MeitY adopted a similar approach with the FAQs to the 2022 CERT-In breach reporting Directions. The non-legally binding FAQs were criticised for imposing obligations beyond their legal remit. For example, they required intermediaries to report breaches not listed in the directions and placed fresh reporting obligations on entities that merely noticed another company’s data breach.
Conversely, regulators such as the Federal Trade Commission (FTC) in the US have successfully utilised clarificatory tools for their intended purpose. It issues advisory opinions to clarify rules or decisions, often at the request of businesses or industry groups. These opinions provide a background and analysis to comprehensively clarify a legal position. Similarly, the EU issues Communications or non-binding guidelines that clarify existing legal obligations and provide recommendations for effective implementation of the law.
The MeitY advisory was a well-intentioned endeavour to ring an alarm bell and emphasise the need for intermediary accountability for user safety. However, it went beyond what the law requires, resulting in impractical compliance obligations. This is concerning because the advisory and the IT Rules make safe harbour immunities contingent on compliance. By not accounting for differences in compliance capacity, effects on user experience or assessing legal boundaries, the advisory creates new challenges instead of resolving existing ones. Specifically, endangering safe harbour protection as a consequence of non-compliance needs legal backing and must be revisited by MeitY. The government would do well to consult all stakeholders before issuing such advisories, to avoid legal and regulatory uncertainty.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
(Edited by Ratan Priya)